Admin rights

By bremington45
I have several old PCs in which all local admin accounts have numerous restrictions on them such as properties of my computer and control panel. I have checked the local policies which are empty and used MS Fixittool to reset the security settings with no luck. Only the Domain admin has full rights. Unfortunately these computers are not a member of the current domain and there is no way to dis-join and re-join to the new domain because of the restrictions. Seem to have tried all possible avenues to no avail. Any help would greatly be appreciated.


Have you...

by cmiller5400 In reply to Admin rights

Have you run a RSOP?

Add/Remove Snap-in
Resultant set of Policy

That will list where the restrictions are coming from.

Have you checked the registry?
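
The registry check suggested above, as an added example that is not part of the original post: a PowerShell script that lists every value under the four standard registry policy locations and flags the two Explorer restrictions matching the symptoms in the question (`NoControlPanel`, `NoPropertiesMyComputer`). The function name `Get-PolicyValues` is hypothetical; run it as the affected account, since the HKCU paths reflect the current user.

```powershell
# Added example: enumerate registry-based policy settings on a local machine.
# The four standard locations where policy values are stored:
$roots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

# Explorer policy values that hide Control Panel and My Computer properties
$watch = @('NoControlPanel', 'NoPropertiesMyComputer')

function Get-PolicyValues {
    param([string[]]$Path)
    foreach ($root in $Path) {
        # A missing root simply means no policy is stored there
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) +
                @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key     = $key.Name
                    Name    = $name
                    Data    = $key.GetValue($name)
                    Flagged = ($watch -contains $name)
                }
            }
        }
    }
}

Get-PolicyValues -Path $roots |
    Sort-Object Key, Name |
    Format-Table Flagged, Key, Name, Data -AutoSize
```

Values that appear here while the local policy editor shows nothing configured are leftovers written directly to the registry, for example by a domain policy that was never reversed.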

by shhite In reply to Have you...

If I could give you a thumb I would. Never knew about RSOP. Love it!


Admin rights

by bremington45 In reply to Have you...

Thanks, I have not tried RSOP. I did run the Group Policy MMC and checked the filtering on both admin computer and user but came up with nothing, even entered new key Disable GPO. I have checked the registry - nothing - and deleted the c:\windows\system32\group policy folder? This really has me stumped.


Good start but...

by cmiller5400 In reply to Admin rights

The RSOP looks like the gpedit.msc interface except it pulls together group policy, local policy, etc. It then shows you exactly what policies are being enforced and where they are being enforced from.


If you have the domain admin credentials

by CG IT In reply to Admin rights

you can use those.

Remember that if you unjoin the computer from the domain, the domain administrator account no longer works [cached credentials] and you must change the password on that account to a new password before reboot. You then use those credentials to log in locally because you will have a local profile under the domain administrator's user name.

Further, GPO restrictions at the domain level no longer apply after unjoining. Local GPO restrictions done by registry settings will apply.

If you can log on to the local machine using the domain admin's user account local machine name\domain name and the domain admin password before unjoining from the domain, then you can make the necessary changes to the restrictions to the local machine administrators security group located in admin tools\ local machine security policy\security settings\local policies\security options\rename administrator account.
